Care & Feeding of Your WordPress Website
(Updated 10/2/21) So, WordPress is installed, and your website is up. Your theme is customized just the way you want it, and all of your content has been uploaded. Now you can sit back and forget about it until the next time you want to change the content, right? Unfortunately, no.
Your WordPress Website is a Car, Not a Poster
Every week I hear from site owners who think of their website as something static, like a poster on the internet. But the internet is a complex and constantly changing environment. WordPress must constantly change with it. Then WordPress themes and plugins have to change to stay compatible with the WordPress core. When authors discontinue updating themes or plugins, they may cease to work, or worse yet, continue to work, but become vulnerable to hacking.
And hacking is not the only risk. All of these different moving parts, created by different people, have to interact with each other. The possible combinations of themes and plugins are endless, so there are bound to be a few incompatibilities, even when everything is up to date. These incompatibilities can cause your site to display or function incorrectly, or even to crash.
The truth is, your WordPress website is more like a car than a poster. It requires ongoing monitoring and maintenance. You may be able to neglect maintenance for awhile, and see no visible repercussions, but just like with your car, this will catch up with you sooner or later. And just like your car, an ounce of prevention can save you a ton of down time, money, stress, and regret.
The biggest potential risk of neglect is hacking. You may think your site’s risk of getting hacked is small, especially if it doesn’t get a lot of traffic. Don’t you believe it. Small, unattended sites are hacker candy (if you want to know why, check out Why Is an Insignificant Site Like Mine Being Attacked? from WordPress security leaders, Wordfence. And they don’t even mention hackers who want to post ads on your site).
Sad, but true, hackers will find your website long before your target audience does. While you’re out looking for your audience, hackers are out looking for you.
Why Hackers Love WordPress
Why do hackers love WordPress? WordPress and its free themes and plugins are “open source.” That means that the programming code is public. Every time an update is released, hackers can compare the new and old code. Once they find a change that was made to correct a security vulnerability, they know how to hack any site that hasn’t updated to the new version yet. Don’t let your site become one of them.
Hackers know that many WordPress sites are built by people who know little or nothing about site security. If your friend or family member built a site for you, that is a labor of love, and I don’t mean to detract from it. But they may not have thought to read up on what the site needed after it was built.
A more common scenario is for build ‘n run developers to set up websites using premium (paid) themes and plugins, without informing you that you will need to purchase licenses to access updates. In fact, to avoid revealing this, they typically don’t mention maintenance at all. As site components become more and more out of date, they become vulnerable to hacking.
Is Being Hacked That Big of a Deal?
People who have been hacked never ask that question! Being hacked is a huge hassle. It can take down your website, but that’s the least of the risks. Hacked sites are frequently used to distribute malware, which can get your domain blacklisted and removed from search engine results. Your clients or customers won’t be happy with you if their own computers get infected from visiting your site. Most importantly for anyone who is using email addresses based on their website domain, it can cause mail servers to block all email coming from or going to those email addresses, bringing your business to a dead stop.
Your WordPress website is made up of thousands of files, and malicious code will quickly spread itself to as many of them as it can. Recovering from a hack can take a lot of time and money. I refer hacked site owners to Defiant for hack cleanup. Defiant is the author of the Wordfence security plugin, and is widely acknowledged as the leading WordPress security expert. As of September 2021, they charge $490 to clean a hacked site. Prevention is simply less costly in every sense.
An Ounce of Prevention
The good news is that simple prevention practices go a long way towards reducing your risk of getting hacked.
Choose a Hard to Predict Username
Your username for logging in to your Dashboard should not be “admin.” It should not be your name, your website’s name, or anything else that appears on your website. It should not be the correct spelling of a word (use creative or phonetic misspellings). It should include numbers as well as letters. WordPress usernames are not case sensitive, and cannot include most special characters, so make the most of length and a unique letter/number combination. You can also use your email address to log in to WordPress, so try to avoid putting that same email address anywhere on your website, or anywhere else that hackers may be able to easily find it in an internet search.
Create a Strong Login Password
Strong passwords are a must. Automated hacking tools can analyze likely words and phrases from your website content and zip through multiple login attempts like lightning. Use a password generator, and have your browser or a password manager such as LastPass remember it so you don’t have to enter it every time. Your password should be at least 24 characters long, and should include upper and lower case letters, numbers, and special characters. It should be unique – recycling is an excellent thing, but not for passwords!
Back Up Regularly
Protect your investment in your WordPress website – back it up! Do not rely on your webhost to do this for you – the fine print of all hosting plans will tell you they accept no responsibility for backing up your content. A good host has redundant backup systems, but mistakes can happen (and not all hosts are good). Realistically, a large webhost with thousands of servers containing tens of thousands of sites will never be as invested in your website as you are.
There are numerous backup options. The right one for you will depend on your particular site and needs. Save your backup files in at least two places (three is better) that are in different physical locations that are far enough apart not to both be affected by a local natural disaster. Your backup schedule should take into account how often your site files change. Remember that you are changing your website files when you perform updates to themes, plugins, or WordPress, even if you haven’t added any new content. Back up at least once a month, and keep at minimum your last 4 backups.
Since hackers can identify vulnerabilities in old versions of themes and plugins from updates, it’s important to install updates as soon as they are released. Updating is easy – just check a box and click a button.
WordPress itself is updated several times a year. Minor updates are usually automatic, but you will need to log in to your Dashboard to install major updates. A security plugin (see next section) can email you alerts when an update becomes available.
It’s possible to automate updates, but updating manually is quick and easy, and is a great way to stay in touch with your site. If an update causes a problem, you notice it immediately and know which update caused it. With automatic updating, a problem can go unnoticed for weeks or months, which makes the cause harder to identify. However, if you aren’t likely to update promptly, this risk may be outweighed by the security advantage of keeping your site current.
Use a Security Plugin
The first thing I install on a new WordPress website is a security plugin. There are excellent, free security plugins that protect your site in a myriad of ways. For example, they can scan your files regularly to check whether they match the files in the WordPress repository, and email you if there’s a discrepancy. They can alert you to needed updates. They can notify you whenever someone logs in to your Dashboard. They can lock out hackers who try to log in, and show you the usernames they tried.
If you are not very technical, you may occasionally need assistance from someone more experienced with WordPress to decide how to respond to alerts from your security plugin. Don’t let this stop you from installing a plugin, however. It can dramatically improve the safety of your site.
Learn to Maintain Your Website
Following the 5 practices above makes your site much more secure against hacking, and keeps you better prepared to restore your site if anything does happen. Automatic update options for most themes and plugins is now built in to WordPress, or I can set up email notifications to prompt you when updates are available, and teach you how to perform them. I can also set up automated backup jobs, so all you have to do is download the backup files once they are created. Or, we can even set up automatic uploads of your backups to cloud storage.
If you would prefer to turn your site maintenance and monitoring over to someone else, my maintenance plan includes responding to security alerts, performing updates, and downloading copies of your backups.
This article applies primarily to self-hosted WordPress sites. Security and updates are managed for you on WordPress.com sites. You can help out by using good usernames and strong passwords. It is still a good idea to download backups of your content, no matter what platform you use for your website.